# Brazil's LGPD and driver GPS data: what employers can and cannot do > Mileage tracked by GPS in Brazil falls under LGPD. How to configure collection without exposing the company. **Author:** Marina Costa — Brazilian Tax & Compliance Specialist **Published:** 2026-04-30 **Updated:** 2026-04-30 **URL:** https://quilometragem.com/blog/brazils-lgpd-and-driver-gps-data-what-employers-can-and-cannot-do **TL;DR:** Tracking mileage via GPS is LGPD-compatible with a real legal basis, limited purpose, and a work-hours-only collection window. - Basis: performance of contract + legitimate interest - RIPD above ~100 drivers - Collection only during work hours - 5-year retention for reimbursed trips - Subject-rights response in 15 days ## What LGPD considers location data Brazil's LGPD (Law 13,709/2018) classifies geolocation data as ordinary personal data when tied to an identified individual — which is always the case when an employer tracks an employee's vehicle. Combined with timing and pattern, location may reveal health, religion, or sexual orientation, escalating it to sensitive data and a stricter legal basis. ## Legal bases for mileage tracking The ANPD recognizes three workable bases for GPS-based mileage: 1. **Performance of contract** (Art. 7-V) — strongest when tracking is necessary to compute reimbursement. 2. **Legitimate interest** (Art. 7-IX) — requires a Data Protection Impact Assessment (RIPD). 3. **Consent** (Art. 7-I) — fragile in employment relationships and discouraged as the primary basis. The safe pattern is performance of contract + legitimate interest with a documented RIPD. ## Principles to respect Purpose (mileage only — not personal-life surveillance), necessity (only during work hours), adequacy (precision sufficient for route calculation, not 5-second polling), transparency (employee knows what, when, for how long), and security (TLS 1.2+ in transit, AES-256 at rest, role-based access). ## Collection window: work hours only Good apps offer a 'personal mode' that pauses GPS. Document when collection starts (shift start), when it stops (shift end), and when the driver can pause it (lunch, personal errands, on-call breaks). Off-hours collection — even accidental — is misuse under LGPD. ## Retention Keep location data tied to reimbursed trips for 5 years (federal tax statute of limitations). After that, anonymize or delete. Location data tied to rejected or personal trips: delete within 30 days. ## Data subject rights The employee can request access, correction, deletion (after the tax window), portability (CSV/JSON), and consent revocation. Respond within 15 days. ## When a RIPD is required Whenever tracking covers more than ~100 drivers, involves systematic monitoring, or feeds automated reimbursement decisions. In practice, any business tracking more than 50 drivers should produce and maintain a RIPD for the mileage purpose. ## Incident reporting Security incidents involving location data must be reported to ANPD per Resolução CD/ANPD 15/2024 — within 3 business days when the incident could cause material harm. ## Practical checklist 1. Contract clause covering GPS tracking for reimbursement. 2. Internal privacy policy specific to location data. 3. Documented RIPD reviewed annually. 4. Technical config limiting collection to work hours. 5. Subject-rights process under 15 days. 6. Incident-response plan aligned to Resolução CD/ANPD 15/2024. ## Frequently asked questions ### Can I track the employee's vehicle 24/7? No. Off-hours collection is disproportionate and breaks the necessity principle. Configure auto-pause. ### Do I need written consent? Best basis is performance of contract + employment clause, not consent. Consent is rarely 'free' in an employment relationship. ## Sources - [Lei 13.709/2018 — Lei Geral de Proteção de Dados](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm) — Presidência da República (2026-04-30) - [Resolução CD/ANPD nº 15/2024 — Comunicação de incidentes](https://www.gov.br/anpd/) — Autoridade Nacional de Proteção de Dados (2026-04-30) - [ANPD — Guia de elaboração do RIPD](https://www.gov.br/anpd/pt-br/documentos-e-publicacoes) — Autoridade Nacional de Proteção de Dados (2026-04-30)